Crypto Wars 2.0 - DC44131
Michael Jack
mikey$ whoami
• 2nd Year Ethical Hacking BSc @ Abertay
• Member Abertay Ethical Hacking Society
• Crypto is bae
• @MikeyJck
What’s all this then?
• Quick history of modern cryptography
• background on first Crypto Wars circa 1990s
• second crypto wars circa 2012
• wrap up
•🍺
before we begin
“At every single level we as a community have forgotten that privacy as well as security needs to be a goal” - Brendan O’Connor, Defcon 21
Modern Cryptography
2015
• Data at Rest = AES or PGP
• Data in Motion = TLS1.2 or IPSEC
• Data in air = WPA2 or SNOW 3G(?)
The Internet
• Elliptic Curve Diffie-Hellman (key exchange)
• EC Digital Signature Algorithm (authentication)
• 128-bit AES GCM mode
• Protocol: TLS 1.2
• hard problem: discrete log in elliptic curve groups (both ECDH and ECDSA); classic DSA instead relies on discrete log modulo a prime
The (Google’s) Internet
• Elliptic Curve Diffie-Hellman
• RSA
• 128-bit AES GCM mode
• Protocol: QUIC
• discrete log in elliptic curve groups (ECDH)
• factoring integers into primes (RSA)
What is Modern Crypto?
• Colossus - Newman, Flowers et al @ Bletchley
• post World War II
• more accurately the 1970s onward
• NSA, GCHQ, IBM & Bell Labs
World War II• Enigma
(electromechanical)
• Broken by Marian Rejewski et al
• Continued decryption by Turing, Welchman et al @ Bletchley Park
Timeline 0x01
• 1971 - IBM Lucifer Block Cipher (Watson Lab), Feistel
• 1973 - NBS asks for Data Encryption Standard (DES) designs
• 1973-4 - IBM develops & submits DES candidate
• 1974 - IBM discovers Differential Cryptanalysis, NSA gag order
• 1976 - Diffie & Hellman publish “New Directions in Cryptography”
• 1976 - After alterations by NSA, IBM's design chosen as DES
• 1977 - “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems” by Rivest, Shamir & Adleman (RSA) @ MIT
Timeline 0x02
• 1971 - IBM Lucifer Block Cipher (Watson Lab)
• 1973 - NBS asks for Data Encryption Standard (DES) designs
• 1973-4 - IBM develops & submits DES candidate
• 1973 - RSA invented by GCHQ (Cocks)
• 1974 - DH invented by GCHQ (Williamson)
• 1974 - IBM discovers Differential Cryptanalysis, NSA gag order
• 1976 - Diffie & Hellman publish “New Directions in Cryptography”
• 1976 - After alterations by NSA, IBM's design chosen as DES
• 1977 - “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems” by Rivest, Shamir & Adleman (RSA) @ MIT
• 1987 - RC4 Stream Cipher, RSA Labs (Rivest)
• 1991 - Pretty Good Privacy (PGP), Phil Zimmermann
• 1994 - Secure Sockets Layer (SSL) conceived @ Netscape
• 1999 - SSL Standardised by IETF > Transport Layer Security (TLS)
• 1997 - NIST wants DES successor > public competition for Advanced Encryption Standard (AES) announced (five finalists selected 1999)
• 1999 - Wired Equivalent Privacy (WEP) RC4
Timeline 0x03
Timeline 0x04
• 2001 - NIST approves Rijndael for use as AES (FIPS 197)
• 2001 - SHA-2 published (draft FIPS 180-2, standardised 2002; the current edition is FIPS 180-4)
• 2004 - Wi-fi Protected Access 2 (WPA2)
• 2008 - TLS 1.2 RFC 5246
• 2015 - SHA3 (Keccak) standardised as FIPS 202
The Crypto Wars
In January 1991, Senator Joe Biden inserted new language into the draft of an anti-terrorism bill, expressing a Sense of Congress that electronic communications service providers and equipment manufacturers “shall ensure that communications systems permit the government to obtain the plaintext contents of voice, data, and other communications when appropriately authorized by law.”
– Doomed To Repeat History? Lessons from the Crypto Wars of the 1990s, p. 4
Clipper Chip
NSA design, Clinton administration, 1993
• Skipjack block cipher (64-bit block, 32 rounds, 80-bit key) & DH for session keys
• Government holds a decryption (unit) key for each chip, split into two halves escrowed with two separate agencies
• Export controls eased on products including Clipper
• lots of grass-roots resistance
• many security/crypto experts testify to Congress
• Professor Matt Blaze (1994: showed the 16-bit checksum in the LEAF escrow field could be brute-forced, so a user could defeat the escrow while keeping the encryption)
Export Restrictions
• strong encryption considered “dual use” technology, meaning it had both civilian and military applications
• ‘strong encryption’ meant anything above 40-bit keys; 40-bit RC2/RC4 got routine export approval, anything longer needed a licence
• Strong opposition from industry
• Gov reports 1996, 1998 between $35B & $95B losses
• First Amendment issues
Crypto Wars 2.0
Bullrun & Edgehill
TOP SECRET/ STRAP1
nsa$ whoami
National Security Agency
• 2013 Budget: $10.8B
• $2.5B on data collection
• $1.6B on processing/ exploitation
• Upwards of 40k employees
• Created by Truman in secret 1952
• FISA/ National Security Letters/CALEA
gchq$ whoami
Government Communications HQ
• Originally founded 1919 as GC&CS
• Unique access to backbone infrastructure
• Upwards of 6k employees
• RIPA
Cryptanalysis is good
BULLRUN
• Ability to defeat encryption
• BULLRUN sources “extremely sensitive”
• TLS/ SSH/ OTR/ VPN/ VoIP/ etc
https://s3.amazonaws.com/s3.documentcloud.org/documents/784047/bullrun-guide-final.pdf
MUSCULAR
www.spiegel.de/media/media-35532.pdf
www.spiegel.de/media/media-35546.pdf
Circa September 2005
National Intelligence Budget 2013
DNI Statement
The Curious Case of the Dual_EC_DRBG
here be backdoors
• RSA accepted $10M from NSA to make Dual_EC_DRBG the default in the BSAFE library (2004/5; reported by Reuters, December 2013)
• RSA “relied on guidance from NIST”
• RSA claims it didn’t know it was weakened or contained a backdoor
• Dual_EC_DRBG withdrawn after NIST issues new guidelines, September 2013
math
• Two constant points, P and Q, on the NIST curve are baked into the generator
• should be random
• NIST doesn’t say how or where the constants come from
• If Q was chosen as a known multiple of P (or vice versa), whoever knows that multiplier holds a ‘skeleton key’
• after recovering 32 bytes of output, the key holder can recover the internal state and predict all further DRBG output
On the Practical Exploitability of Dual EC in TLS Implementations
Matt Green, DJB, Tanja Lange et al (Checkoway et al., USENIX Security 2014)
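The skeleton key on the previous slide is just scalar multiplication. Below is an added example, not code from the talk or from the Checkoway et al. paper, that runs the Dual EC block function on a toy curve (y² = x³ + x + 6 over F_11, 13 points, generator (2, 7)) with P deliberately derived from Q, then plays the attacker: take one output, lift it back to a curve point, multiply by the secret scalar, and you hold the next internal state. The real generator uses P-256 and drops the top 16 bits of every output; nothing is truncated here, which only spares the attacker a 2^16 guess. The class and function names, the trapdoor scalar and the seed are this example's assumptions.

```python
"""Toy Dual_EC_DRBG with the P/Q trapdoor, end to end.

Added example for this page (not the talk's or the paper's code).  Curve
y^2 = x^3 + x + 6 over F_11 has prime order 13, so every scalar 1..10 maps a
point to another finite point and the arithmetic can be checked by hand.
"""

MOD = 11        # field prime; 11 = 3 (mod 4) makes the square root a single pow()
A, B = 1, 6     # curve coefficients; B is a non-residue, so no point has x == 0
INF = None      # point at infinity


def ec_add(p1, p2):
    """Affine point addition, covering doubling and the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % MOD == 0:
        return INF                                    # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, MOD) % MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, MOD) % MOD
    x3 = (lam * lam - x1 - x2) % MOD
    y3 = (lam * (x1 - x3) - y1) % MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def x_coord(pt):
    """x(pt); never called on INF in this example (scalars 1..10, order 13)."""
    return pt[0]


# The generator's two public constants.  Q is the curve generator.  P was
# produced from Q with a scalar only the "designer" knows (assumed value 5);
# to everyone else P and Q look like two unrelated points, as in SP 800-90A.
Q = (2, 7)
TRAPDOOR_E = 5               # designer's secret: TRAPDOOR_E * Q == P
P = ec_mul(TRAPDOOR_E, Q)    # == (3, 6)


class ToyDualEC:
    """One Dual_EC_DRBG block per call: r = x(sP), s' = x(rP), out = x(rQ)."""

    def __init__(self, seed):
        if not 1 <= seed < MOD:
            raise ValueError("seed must be a non-zero field element")
        self.s = seed

    def next_output(self):
        r = x_coord(ec_mul(self.s, P))    # ephemeral scalar
        self.s = x_coord(ec_mul(r, P))    # new internal state
        return x_coord(ec_mul(r, Q))      # what the caller sees


def lift_x(x):
    """Find a curve point with x-coordinate x; either sign of y will do."""
    rhs = (x ** 3 + A * x + B) % MOD
    y = pow(rhs, (MOD + 1) // 4, MOD)    # sqrt, valid because MOD = 3 (mod 4)
    if (y * y) % MOD != rhs:
        raise ValueError("no point with x = %d" % x)
    return (x, y)


def recover_state(output, e):
    """Turn one observed output x(rQ) into the generator's next state.

    e*(+-rQ) = +-rP, and both signs share the x-coordinate, which is s'."""
    return x_coord(ec_mul(e, lift_x(output)))


def predict(state, count):
    """Clone the generator from a recovered state and read ahead."""
    clone = ToyDualEC(state)
    return [clone.next_output() for _ in range(count)]


def demo(seed=4, count=4):
    """Victim emits one block; attacker recovers the state and predicts the rest.
    Returns (observed, recovered_state, predicted, actual)."""
    victim = ToyDualEC(seed)
    observed = victim.next_output()
    recovered = recover_state(observed, TRAPDOOR_E)
    predicted = predict(recovered, count)
    actual = [victim.next_output() for _ in range(count)]
    return observed, recovered, predicted, actual


if __name__ == "__main__":
    obs, st, pred, act = demo()
    print("observed:", obs, "recovered state:", st)
    print("predicted:", pred, "actual:", act, "match:", pred == act)
```

The attacker never touches the seed or the state update directly: one output block plus knowledge of the scalar linking P and Q is enough, and the sign ambiguity in lifting x back to a point does not matter because both candidates give the same next state. On a field this small the state collapses into a short cycle within a few steps; on P-256 the same recovery works block by block, which is what the paper demonstrates against TLS implementations.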
Politics & Policy
‘Going Dark’
• As early as 2011 FBI talking about the issue to congressional committees
• iOS 8 (2014) Full Disk Encryption by default
• End of 2014 big push by high profile names for crypto backdoors
Correcting Misconceptions
“misconception that building a lawful intercept solution… requires a so-called “back door,” one that foreign adversaries and hackers may try to exploit. But that isn’t true. We aren’t seeking a back-door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law.”
– James Comey, October 2014
“One is communications data, that is not the content of a phone call. It is just who made which call to which person and when… And what matters, in simple terms is that we can access this data [on all platforms]… I have a very simple principle to apply here… in our country do we want to allow a means of communication that in extremis we can’t read with a signed warrant…”
– David Cameron, January 2015
Crypto VIPs
• FBI Director - James Comey
• GCHQ Director - Robert Hannigan
• MET Commissioner - Bernard Hogan-Howe
• UK Prime Minister - David Cameron
• UK Home Secretary - Theresa May
Here be Backdoors
Conclusions & Questions